[thelist] Password "Protection"

Shawn K. Quinn skquinn at frogger.kicks-ass.net
Fri Jul 11 03:52:30 CDT 2003


On Thursday July 10 2003 08:30, Richard Morris wrote:
> A client has a web site with us and they have also developed a web
> site with another company to provide member benefits.
>
> Our site will soon be linking to the other site but they've asked for
> this:
>
> "However, to make it look exclusive to members, can we put some
> password protection i.e. when you click the button to go to the
> [other] site it should give you a password box to fill in before it
> transfers you.
>
> "Obviously we can't verify the individual passwords, but as we have a
> common format for membership numbers; that can be the password, so if
> anyone puts in a number which is X and five digits it will transfer
> through to [the other site]. This will give it a sense of
> exclusivity. Can this be set up?"
>
> I've already said that there would be nothing to stop the visitor
> from bookmarking the (freely accessible) web site once they're there
> anyway, but presumably what we'd need is some method to seek a
> password in the form Xnnnnn that takes the visitor to a redirect
> page?
>
> Sounds like a JavaScript job?

Not if you want it to work reliably. If this is done anywhere, it should
be on the server, where it can't be subverted. Viewing the document
source would quickly show all the JavaScript wants is "the letter X
followed by 5 digits" and probably includes the URL to redirect to.

I don't know why they are insisting upon such a half-baked solution to a
dubious problem. Frankly, were they my clients, I'd tell them this is
more trouble than it's worth, that you can't stop non-members from
accessing a freely accessible Web site. This type of "security",
especially implemented in JavaScript, will make your client look silly
once it's bypassed.

There should be a password associated with the member number too, or at 
the bare minimum, a database check that the member represented by that 
member number is valid and in good standing.

-- 
Shawn K. Quinn
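
The server-side check suggested in the reply above, as an added example that is not part of the original post: it contrasts the format-only test with a database lookup that also requires good standing and a matching password. The table, column and function names and the sample members are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import re
import sqlite3

# "X and five digits", the membership number format described in the thread
MEMBER_RE = re.compile(r"X[0-9]{5}")


def format_only_check(member_no):
    """The check the client asked for: any well-formed number passes."""
    return MEMBER_RE.fullmatch(member_no) is not None


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def build_sample_db():
    """Constructed sample data; schema and members are hypothetical."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (member_no TEXT PRIMARY KEY,"
               " salt BLOB, pw_hash BLOB, good_standing INTEGER)")
    for no, pw, ok in [("X12345", "correct horse", 1), ("X54321", "lapsed pw", 0)]:
        salt = os.urandom(16)
        db.execute("INSERT INTO members VALUES (?, ?, ?, ?)",
                   (no, salt, hash_password(pw, salt), ok))
    return db


def server_side_check(db, member_no, password):
    """Format first, then the database: the member must exist, be in
    good standing, and supply the password stored for that number."""
    if not format_only_check(member_no):
        return False
    row = db.execute("SELECT salt, pw_hash, good_standing FROM members"
                     " WHERE member_no = ?", (member_no,)).fetchone()
    if row is None:
        return False
    salt, pw_hash, good_standing = row
    # Constant-time comparison of the derived hash with the stored one
    matches = hmac.compare_digest(hash_password(password, salt), pw_hash)
    return bool(good_standing) and matches
```

The redirect would be issued only when `server_side_check` returns true; a number such as X00000 satisfies the format test but matches no member row.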
